Bug 155251 - httpd suexec targeted policy issues
Summary: httpd suexec targeted policy issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 156323
Reported: 2005-04-18 15:52 UTC by Joe Orton
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2005-645
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-05 16:34:07 UTC




Links
System                  ID             Priority  Status        Summary                        Last Updated
Red Hat Product Errata  RHBA-2005:645  qe-ready  SHIPPED_LIVE  SELinux policy bug fix update  2005-10-05 04:00:00 UTC

Description Joe Orton 2005-04-18 15:52:38 UTC
Description of problem:
/usr/sbin/suexec should have permission to create and write to
/var/log/httpd/suexec.log, and doesn't work without it; after configuring suexec
in httpd I get:

audit(1113839139.454:0): avc:  denied  { write } for  pid=29554
exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t
tclass=dir

I'm also getting this error:

audit(1113839139.453:0): avc:  denied  { net_bind_service } for  pid=29554
exe=/usr/sbin/suexec capability=10 scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=capability

which is possibly some NIS or nscd thing when doing the username lookup?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.88

Comment 1 Daniel Walsh 2005-04-19 15:54:42 UTC
Do you have the allow_ypbind boolean set?

getsebool allow_ypbind
allow_ypbind --> inactive

If it is inactive you can turn it on with

setsebool -P allow_ypbind=1

Does that eliminate the net_bind_service?

Can you setenforce 0 before running your httpd_suexec app, to tell me what other
privs it needs?

Dan



Comment 2 Joe Orton 2005-04-19 17:13:54 UTC
Yes, I do have allow_ypbind=1 enabled (I haven't changed that so I presume it
was set since installation).

After "setenforce 0" and rm'ing suexec.log, I get three denials from a
successful suexec invocation:

<3>audit(1113930658.196:0): avc:  denied  { write } for  pid=6211
exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t
tclass=dir
<3>audit(1113930658.196:0): avc:  denied  { add_name } for  pid=6211
exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.197:0): avc:  denied  { create } for  pid=6211
exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t
tcontext=root:object_r:httpd_log_t tclass=file


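The denials quoted in the description and in Comment 2 are the raw material a policy maintainer works from: each line names a source type, a target type, an object class and the permissions that were refused, and the fix is an allow rule covering exactly that tuple. The following added example (not code from the bug, from Red Hat or from the selinux-policy package) parses such AVC lines and aggregates them into the allow rules they imply, the same summarisation that audit2allow performs. The sample input is the bug's own denials with the page's line wrapping undone; the "<3>" printk priority prefix on the Comment 2 lines is kept so the parser shows it can be ignored. The rule list is what the denials request, which is not necessarily identical to the policy change that shipped in RHBA-2005:645.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in this bug report, joined back
# onto single lines. Two carry the "<3>" kernel log-level prefix seen in Comment 2.
SAMPLE_LOG = """\
audit(1113839139.454:0): avc:  denied  { write } for  pid=29554 exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
audit(1113839139.453:0): avc:  denied  { net_bind_service } for  pid=29554 exe=/usr/sbin/suexec capability=10 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=capability
<3>audit(1113930658.196:0): avc:  denied  { add_name } for  pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.197:0): avc:  denied  { create } for  pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=root:object_r:httpd_log_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)  # search, not match: tolerates syslog/printk prefixes
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def type_of(context):
    """A security context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]


def allow_rules(lines):
    """Aggregate denied AVC records into the allow rules that would permit them.

    Rules are keyed on (source type, target type, class) so that repeated
    denials on the same object class collapse into one rule with the union of
    their permissions, which is how audit2allow presents its output.
    """
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if not (rec["scontext"] and rec["tcontext"] and rec["tclass"]):
            continue  # a truncated record (see Comment 4) is skipped, not guessed at
        src = type_of(rec["scontext"])
        tgt = type_of(rec["tcontext"])
        # A capability check is made against the process's own context,
        # which policy language writes as "self".
        target = "self" if tgt == src else tgt
        needed[(src, target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

Run against the sample the script prints one rule per (source, target, class) tuple: dir permissions on httpd_log_t, file creation on httpd_log_t, and the net_bind_service capability on self. The point of aggregating before acting is that each line is a review item, not an instruction: a maintainer confirms that suexec legitimately needs to create its log under /var/log/httpd before widening the httpd_suexec_t domain, and treats a capability denial whose trigger nobody can reproduce (Comment 3) as a question to answer rather than a rule to add.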
Comment 3 Joe Orton 2005-04-19 17:17:20 UTC
I can't reproduce the net_bind error now.  What should trigger that?

Comment 4 Joe Orton 2005-04-19 17:24:41 UTC
Hmmm, I was catching the denials from "cat /proc/kmsg", maybe that's not such a
good idea.  In /var/log/messages I now have this interesting stuff:

Apr 19 18:20:20 tango kernel: audit(1113931220.257:0):ac dne {ntbn_evc  o pd66
x=ursi/uxccpblt=0sotx=otsse_:tp_uxcttotx=otsstem_r:httpd_suexec_t tclass=capabilit
Apr 19 18:20:40 tango kernel: <3adt11912.5:) v: eid  rt  o pd66 x=ursi/uxcnm=tp
e=d3io1041s

[sic]


Comment 5 Daniel Walsh 2005-05-12 19:51:05 UTC
There is a test policy out on ftp://people.redhat.com/dwalsh/SELinux/u2

Need policy files and checkpolicy.

Dan

Comment 10 Daniel Walsh 2005-09-15 16:07:24 UTC
Closed by accident

Comment 13 Red Hat Bugzilla 2005-10-05 16:34:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-645.html


